On Wed, 2009-07-15 at 00:51 +0000, Ian Hickson wrote:
>
> If there are any bytes allowed from the client or the server before the
> handshake starts, then it is no longer secure. The idea is to make sure
> you can't smuggle through payloads from other protocols, since otherwise
> you could use WebSocket to connect to services that aren't expecting it.

Then don't use port 80!

If you use port 80 you must expect the following:

- many users will be unable to connect directly to your service
- many users will think they are connecting directly to your service
  but will not actually be doing so

AIUI websockets is:

* TCP +
* authentication

I don't really see this having *anything* to do with HTTP.

Perhaps I'm missing something fundamental, but as it stands, I think it
would be more robust, and more secure to say:

  Websockets is on IANA port XXXX
  the authentication handshake for a websocket server is YYYY
  after that it's a bidirectional stream of octets just like TCP

If a browser needs to get through a firewall to connect to the websocket
server, we recommend the use of a SOCKS proxy or an HTTP proxy supporting
the CONNECT method.

What drives the desire to live on port 80?

-Rob